Tuesday, November 12, 2024
Homecyber securitySSLoad Malware Employs MSI Installer To Kick-Start Delivery Chain

SSLoad Malware Employs MSI Installer To Kick-Start Delivery Chain

Published on

Malware protection

Malware distributors use MSI installers as Windows OS already trusts them to run with administrative rights by bypassing security controls.

For this reason, MSI files are a convenient means of spreading ransomware, spyware, and other malware that can be passed off as genuine software installations.

Cybersecurity researchers at Intezer recently discovered that SSLoad malware employs MSI installers to kick-start the delivery chain.

- Advertisement - SIEM as a Service

SSLoad Malware Employs MSI Installer

System infiltration, information gathering, and payload delivery are some of the operations in which SSLoad, a silent malware, is engaged.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

An active campaign using SSLoad recently involved a decoy Word document carrying an SSLoad DLL, which executed Cobalt Strike, and a phishing email leading to a fake Azure page that downloaded a JavaScript script as well as an MSI installer for loading the SSLoad payload.

Since April 2024, SSLoad has been targeting victims, and its multiple delivery methods hint at it being used for MaaS purposes, consequently showing how versatile it can be.

The researchers analyzed an MSI installer that initiates a delivery chain with multiple loaders, eventually deploying the final SSLoad payload.

The first PhantomLoader is a 32-bit C/C++ DLL using self-modifying techniques and XOR decryption to crack the next loader stage.

This second loader loads the SSLoad payload, a 32-bit Rust DLL. SSLoad decrypts a Telegram channel URL used as a dead drop to get the command-and-control server address.

SSLoad Telegram channel (Source – Intezer)

The C2 decoder decrypts the C2 address and user agent and sends an HTTP GET request to download the next payload stage from the C2 server.

This SSLoad variant uses a custom method to decrypt strings with the RC4 algorithm. Each string is encrypted with its own distinct key stored alongside it. 

The key is derived from the encoded blob’s first 6 and last 7 bytes. After calculating the encrypted string’s length, it is Base64 decoded and decrypted with RC4 using the derived key, extracting the Telegram channel URL. 

The payload is another Rust file that creates a mutex for anti-analysis, checks for debugging, dynamically loads DLLs, and derives rolling XOR keys through arithmetic operations to decode strings uniquely.

Besides this, it uses RtlGenRandom for unique folder naming, resolves library calls dynamically by hashing module and function names, and employs common malware techniques like manipulating the PEB for evasion.

The JSON fingerprint is sent to the C2 using HTTP POST, and Load makes an HTTP request containing the host ID.

The client checks for available tasks by sending a post request with a unique SSLoad host identifier.

Based on task availability, C2 responds with an encrypted job structure in RC4 and base64 encoded format, with a command (only “exe” is currently used for downloading payloads) and arguments.

It also demonstrates how complex it can be as shown by its use of Rust downloader, which is made up of dynamic string decryption and a new loader that includes an anti-debugging mechanism in place.

To combat such intricate malware campaigns effectively, continued monitoring and advanced threat detection are required.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...